
talkinsecurity writes "A single contractor, privately-held Verus Inc., has been traced as the source of no less than five hospital security breaches in the past two months — and those breaches have put the company out of business in a matter of weeks. Verus, which managed the websites of as many as 60 of the country's largest hospitals, has folded its entire business within the past few weeks, without a word to anyone. Apparently, a single IT error led to the exposure of at least five hospitals' patient data — at least 100,000 individuals' personal information — and caused Verus' primary investor to pull the plug. The hospitals, which initially reported their breaches separately, were left with no one to sue."

Lots of people on slashdot extol the virtues of unfettered capitalism. "No need for government regulation, sue those who breach their contract!". Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!

But it's government regulations that have made it that way. The BOD of corporations should be ultimately responsible for the actions of the entire company. Since corporations are a government protected body, removing the regulations protecting them opens the BOD up to others.

Limited liability is a double edged sword to be sure, but IMHO society is better off with the concept than without it. Consider bankruptcy for example, that is a form of "limited liability" as it applies to the individual. It ensures that your creditors cannot pursue you until your dying day for your last penny due to circumstances beyond your control. There are abuses sometimes yes, and do not think that this investor is home free, if a lawyer can prove negligence in the breaches AND that the investor knew about the problems and did nothing then the investor can be held accountable for negligence, limited liability or not. The concept of limited liability exists to protect people from personal ruin from forces beyond their control, but it is not carte blanche to commit fraud, breach contract, or engage in negligent behavior.

If limited liability only applies to capital, then why do corporations rather than the CEO or board get fined when the corporation commits a crime? People use corporations as a shield against prosecution all the time. It sickens me to see what they get away with, and that's just what we hear about. Corporations don't kill people, the people running corporations kill people, and they get away with it. For instance, why did Warren Anderson [wikipedia.org] go free?

How much was consumed in cold war spending? It's not on me to get into a debate about the efficiencies of historical systems with different problems in different environments, the point is that these technological marvels are not the sole province of modern capitalism and the corporate structure, as you insinuated.

Do you believe that we've achieved Utopia, a state beyond our capacity to surpass?

Do you think there will not be a better system that isn't a stepwise refinement, but a replacement?

Get rid of the notion of limited liability for corporate officers. Simply alter corporate law so that corporate officers can be held directly accountable, so that when Mega-Chemical Corporation spills toxins into public drinking water, not only is the corporation taken to the cleaners, but the officers of the company are also taken to the cleaners. Thus, even if Mega-Chemical Corporation folds, we can still get our pound of flesh out of the officers.

I'd wager it would be a boon for corporate governance if these turkeys knew that they would feel the weight of full liability.

"Right, so get rid of corporations. That's what the OP was trying to say in the first place."

Well, that's not a great thing actually. The vast majority of companies and businesses are SMALL businesses. If you take that shielding away, you'd open up most businesses that are small, mostly private individuals, and you'd have them risking personal bankruptcy and ruin, for even minor problems.

No one is going to risk their families welfare that way, and you'd kill small businesses in the US. For a person to ta

Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!

Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again. Maybe it would satisfy people if the guy killed himself?

Can he magically make the security breaches un-happen?

At most, if the company stayed around, it could be sued for the costs involved in the cleanup -- but the only winners there would be the lawyers.

Yes, but nothing's stopping these people from forming a new company and doing the same thing again.

1. Assuming the new company needs capital investment, they have to convince someone to invest. If investors don't do their homework, then they have only themselves to blame if the investment goes south (as presumably this one did).

2. If you contract with that new company without doing a little bit of background research, and your data gets exposed next time -- well, I guess that means selecting a vendor wasn't important enough to take the time to do it right, correct?

3. The IT mistake was not intentional / malicious, it was a mistake. While that should be a black mark on the reputation of former employees / owners, it shouldn't prevent them from ever working again; they just have to convince investors / clients that they have learned from that mistake and have policies / procedures in place to prevent it from happening again (assuming said investors / clients actually do their homework & check the vendor's reputation).

I guess that means your corporate reputation goes out the window, for not doing sufficient research on vendors for critical services.

Unfortunately, when the company folds protecting the stakeholders there is nobody left to sue! Oooops! There goes that darn accountability!

Eh? The company was destroyed. If you think the company should be punished, is there any better punishment? Isn't this a good thing? It means that the company is not going to do that again. Maybe it would satisfy people if the guy killed himself?

The problem with that is that a corporation is kind of an ethereal entity to begin with: it never really existed, except as an abstract concept, so "punishing" it is kind of meaningless.

Here's an analogy. Steve is a plumber. You hire Steve to replace the pipes in your house. Instead, he screws up so badly that you can no longer live in your house. You go to sue him, but he says "sorry, I'm not Steve any more. You can call me Frank, and you can't sue me, 'cause I'm not Steve."

That's basically what's happening here. The people responsible for this cannot be held accountable, because they no longer call themselves Careless, Inc.

Take Sony and the distribution of malware with its CDs. A person (read: human being) would be doing time for it. Read the law. Creation and distribution of malware on a commercial premise. Fits like a glove in this case. Punishable, depending on your country, with up to 10 years in jail. Especially when you can credibly claim that the person in question actually did pursue commercial interests (which is trivial in this case).

But you can't do that to an international corporation! First of all, how do you imprison Sony? And think of all the jobs! And think of the tax (yeah, right, like I didn't pay more tax than Sony, in percent of my income...). And think of the political...

Bullcrap. In a nutshell, corporations are above the law. They can break them as they want and if anything, they get a waggle of a finger and a puppy eyed "please, please don't do it again, mmmkay?"

However, the alternative to corporations: Government controlled monopolies, are also above the law (try suing the Social Security administration or IRS for compromising your data!!). And the police and justice system that is supposed to "regulate" the corporations are above the law (or do you expect the FBI to be abolished and the President to go to prison for those illegal wiretaps they were doing?!).

All large social entities: governments, corporations, religions, are above the law, because the concepts of law and justice apply to individuals, not masses of people.

So people shouldn't be able to write their liability off on the chance of there being someone else to pass the buck to later. These hospitals are now discovering where the liability stops...If the hospitals had thought they were on the hook for the results of these systems they'd have demanded far simpler ones they could audit. Instead they buy a more complex system because of lies about its safety. This makes it almost impossible for honest firms to compete. If you discuss security issues you sound like mo

Ah, so the board of directors should be sued for all of their personal assets in order to pay for Joe Coder's mistake in leaving a backdoor open. How many people do you think would start up businesses if they knew mistakes made by any employee could bankrupt them?

Because major corporations have no chance at ruining peoples' lives the way engineers do? Ask yourself why professional engineers are held to such a standard in society, then ask yourself what effect other private corporations can have on peoples' lives.

Large corporate decision makers should not be immune from blame for their mistakes -- with great power and all that.

How many thousands of people lost their life savings when Enron folded? (Days before the end, the CEOs and other higher ups were selling their stock like it was on fire, while other investors - mostly employees of the state of California - were locked-out and unable to sell their holdings). What about MCI/Worldcom? What about ValueJet, which had dozens of safety violations prior to the crash of Flight 592 [wikipedia.org] and for which the company was later indicted on 100+ counts of murder? What about Power Fasteners, whic

In those cases the executives in question committed criminal acts and were charged with crimes. There's a difference between being punished because you did something wrong, and being punished because some goon five level down from you on the corporate chain made a dumb mistake. The OP mentions that as a professional engineer he is responsible for the action of his company, despite the fact that it is a corporation. Of course all professional engineering companies are REQUIRED to have at least one supervi

I think you missed the point. If Engineers are legally liable for their work that can put people at risk, perhaps Programmers should be legally liable for their work that can put people at risk. Maybe instead of figuring out how to line their pockets with money with their "certifications," Novell, Microsoft, Cisco, et al. could pool resources and lobby for a legally-weighty certification for Software Engineers much as conventional Engineers already have. Perhaps an Engineer could enlighten me on the history of how those things evolved for them.

You could have a Class-C license to code and that would mean you know how to develop without buffer-overrun vulnerabilities, SQL-injection vulnerabilities, things like that. A top Class-A license to architect secure designs and robust inter-system communications.

CEOs and board members only know how to run a company: you know, management, budgets, allocations, etc. I'd be very surprised if Widgets, Inc. CEOs know the exact procedure and design decisions that lead to Widget Model 3928 being the way it is.

Of course, the court system will help determine whether it was a renegade programmer or whether board-imposed policies and procedures lead to the hiring of an unlicensed one.

Perhaps an Engineer could enlighten me on the history of how those things evolved for them.

Check out the Code of Hammurabi, a Babylonian king, which said that, if a person builds a building for another and the building falls in and kills the owner, the builder shall be put to death. There are other parts as well, but the total is that the builder/engineer is held responsible/liable for the construction done by that builder/engineer.

I can already tell you the results: Every failure is a result of both management and engineer failures.

If you are suggesting that all of senior management and many of the engineers at Boeing should all go bankrupt when a plane crashes due to a design flaw (because some jury awarded 10 billion for pain and suffering), then I would no longer invest, work, or serve in the US. I wouldn't be the only one.

Basically, you are suggesting the economic suicide for an entire country.

I think you missed the point. If Engineers are legally liable for their work that can put people at risk.... You could have a Class-C license to code

That is BS, you would get canned right away for not doing what the boss says irregardless of what you think. I am faced with these arguments it seems every 2 weeks. I just make sure I have my CYA in good old fashioned printed emails.

The ONLY solution is to hold those in power, primarily senior management (hospitals and contractor) accountable. That mean

If Engineers are legally liable for their work that can put people at risk, perhaps Programmers should be legally liable for their work that can put people at risk.

Reality check: Most programmers are under commercial pressures from managers and customers. For example, as a programmer I can recommend using Misra-C and a very thorough testing regime for a project but that doesn't mean the customer is willing to pay for it.

This has always been a real bugbear of mine and I suspect always will be. Given that t

Reality check: Most programmers are under commercial pressures from managers and customers.

Reality check: Most engineers are under commercial pressures from managers and customers. That doesn't mean that if my boss wants me to use paper clips instead of my recommendation of high-tensile steel bolts, I'm on firm ethical ground saying "Okay, paper clips it is." I have a professional, ethical responsibility to not build shoddy product. Don't programmers?

The same standard IS applied. When an engineer is sued it is because his design was faulty, not because the building contractor used shitty concrete. If said contractor used shitty concrete, HE will be sued into oblivion.

Likewise, if the policies enacted by a company direct actions that defraud the public out of millions of dollars, they will be held accountable (see: Enron). If Joe Sixpack in accounting traffics data all on his own, why should the CEO be held accountable?

The same standard IS applied. When an engineer is sued it is because his design was faulty, not because the building contractor used shitty concrete. If said contractor used shitty concrete, HE will be sued into oblivion.

And so will the engineer, because his responsibility doesn't end once construction starts... part of his job is to monitor the quality of materials, methods and installed equipment and to make necessary adjustments to the design if things can't be worked out in the field.

Actually, engineers routinely do get out of responsibility for disasters. Part of the reason is that they let their bosses and the prosecutors know about the "paper trail" that they have kept. They threaten to show in court that they knew about the problems, warned their superiors about the problems, and were ordered to ignore the problems. The prosecutors then carefully forget about them.

The poster child for this, of course, is NASA's history after the Challenger disaster. The immediate desire was to blame the engineers. But the engineers were happy to cooperate with the investigations, because they had copious records showing that they knew about the potential problems, tried to delay the launch, and were overridden by management. Subsequent analyses (by engineers;-) showed that what went wrong was a known possibility during cold-weather launches, and that a lot of the engineers had indeed tried to delay the launch.

The real disappointment in this and similar disasters is that the managers who override (or ignore) the engineers are almost never held responsible. NASA did do a bit of management shuffling, true, but nobody takes this seriously. With most corporate disasters, even when the CEO or other officer "resigns", he typically walks off with huge amounts of money and no punishment at all. The exceptions are so rare (think Ken Lay) that corporate managers really don't consider it a serious possibility.

In the case of software, it's routine for management to order the use of packages that the engineers know to be insecure and/or unsecurable. I've seen it over and over. The developers know that they just have to live with this, and make the best of a bad management decision. The only way to change this is to make the actual decision makers responsible for the consequences. Does anyone seriously think this is likely to ever happen?

And if those corporate executives push faulty designs or pressure bad decisions? Manslaughter charges are being sought [boston.com] in connection with the Power Fasteners company after it was found they knowingly ignored issues with epoxy based fasteners that later led to a woman's death in the Boston Harbor tunnel. Other companies involved in this and massive cost overruns and poor design decisions (major leakage in tunnel), such as Bechtel and Modern Continental Construction, have seemingly gotten off the hook.

Aren't these the same directors who (for Enron, Worldcom/MCI, Adelphia Communications, etc) claimed that they had no idea that their companies were operating deeply in the red and that their quarterly earnings reports weren't worth the paper they were printed on? These are the same people who go before congress and suddenly develop very bad memories.

Aren't these the same directors who (for Enron, Worldcom/MCI, Adelphia Communications, etc) claimed that they had no idea that their companies were operating deeply in the red and that their quarterly earnings reports weren't worth the paper they were printed on? These are the same people who go before congress and suddenly develop very bad memories.

No, they're different directors. That lot WAS jailed - and they were jailed because of THEIR decisions, not those of their underlings.

CEOs and their cohorts make very good money to direct and lead their companies, but they are not personally responsible for the results of their leadership and direction. Boards of Directors are supposed to be outside overseers who make sure those INSIDE the company are not blinded by internal goals and policies or politics; they are PAID to provide an outside view and unbiased viewpoint.

My point is that there are already several layers of 'leadership' that are supposed to be providing adherence to standards

Let me clue you in how this works in many corporations. The lot that makes up the top level management is usually small. You know each other. You see each other on various occasions. Doesn't it strike you as odd that every time some manager needs to "take a break" because his blunders were too obvious that miraculously someone from abroad comes in to take over? Guess what he did there. He needed a break.

The group is small and very selective who it allows into its ranks. You don't just get a ton of degrees fr

Who would take a job where you could be held personally liable for any mistake your subordinates may do? You have a company where the size is small enough that you can check everything, I guess, or you wouldn't be taking that responsibility, but would you really want to be personally liable if you had 1500 employees? Would you be able to check all their work for flaws?

In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already

In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?

I tend to agree with you, especially since the problem didn't kill anyone. But, some questions remain - we don't know how much influence that primary investor had over operations. What are the chances that he will just open up shop again under a different corporate charter and continue the same sort of poor practices that got his first company in trouble?

I think corporate death like this is a good thing if it results in the rest of the industry internalizing the consequences of poor practices. But if th

It's been over a year since I last read the HIPAA regulations, but it's possible that whoever was responsible for the coding problem could face fines and/or jail time. Personally, I think it's unlikely that it would happen since there was no malice involved, but I'm not quite sure how the laws are written, so if somebody decides to seriously press the matter, we may yet see some people getting in trouble.

In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?

It's not at all clear that they've been punished. And there has been no restitution to the injured parties.

Hypothetically; a company makes a program that makes it super easy to do stock transactions, and makes a billion dollars selling it. Then one day it's discovered that there's a vulnerability that allow

What you describe is of course an undesirable (to say the least) turn of events. However, I find it unlikely that there is no failsafe for this. How do you "fold" a company and what is involved? Can you dissolve a company if you know a lawsuit is coming? At what point are you unable to dissolve a company so that you lose no money?

Otherwise this seems like the perfect failsafe for any corporation when a large lawsuit is pending. Dissolve the company, reconstruct it in a new name and continue business as usu

In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?

Well, the problem is that when corporations fold, what happens is that the Board Of Directors winds up leaving with multi-million dollar severance packages, while everyone else is thrown into the street. Some of the severance packages are so great as to make it almost more profitable for some individuals to

In my opinion, this company has already been punished for their mistake. They exist no more. The employees who made the mistake have already lost their jobs. What would be the purpose of suing? Revenge?

Star Wars fan, eh? I suppose when Darth Vader killed the Emperor, all his sins were forgiven as well? All the people he killed, planets and ships destroyed, all forgotten?

You bastard!!

But really, how is this much punishment? They will just start up another company, slightly different name, and keep doing the s

We can debate the merits of piercing the corporate veil for civil liability, but talking about "punishment" in this context is a red herring.

I disagree. Suing individuals for a mistake like this would be revenge and would serve no other purpose than giving some people a misplaced sense of "justice". My question (largely rhetorical in nature) was more regarding the intent of suing someone rather than the purpose of any legal system. The governmental branches mostly have very lofty purposes which just as oft

A judge can reinstate a business for the duration of a trial though, even if it was dissolved (with no objections) through the normal channels.

Just because your business was officially dissolved (through the Secretary of State's office) doesn't mean that you're off the hook for bad shit you pulled.

If an employee or contractor was found to be negligent or acting outside of their role within the corporation, they can be found personally liable. That usually results in employee/contractor suing the business and vice versa.

I would bet that even the investor did so only through an INC. It is this lack of responsibility that is occurring in incs and politics which are destroying society. IMHO, it would behoove the country (and perhaps countries) to re-do corporate laws in a fashion that holds boards/CEO, and even investors responsible.

One interesting side note about this is that corporations are suppose to have nearly all the same rights as humans. But they do not have the same responsibility. That is, they can not be jailed f

Actually, I'd like to see the rights of corporations curtailed. There are actually good reasons for shielding directors, officers, and shareholders (though there are bad reasons, too). I say we make corps less powerful first, then deal with the internals.

"Nobody is held accountable for the actions of a corporation. The board of directors and all officers should be held personally liable." That's really not going to work too well in a country where you still have the death penalty. Who's going to want to be a director? You are going to have to go round executing a lot of CEOs every time bridges collapse, trains crash, etc. Mind you I suppose that's what happens in China.

Though I take the point you're making in spirit. We had some train crashes in the UK over

At the salaries these places pay, there will be people knocking at the door. And I wouldn't worry too much about the death penalty - capital murder has very narrow limits. I think the CxO would still have to stalk and kill someone to be eligible.

Tom Lawry, the CEO of Verus, is someone I've known for over ten years. He used to work for our healthcare organization and was one of the first people to "get it" over the Internet. He pushed for the formation of our web services team and sold the organization on making an Intranet when the whole thing was seen as a big fad.

Afterwards he went on to form his own company, but still hung around as a consultant. He wasn't particularly technical, but was very good at navigating through the political issues that often come up with organizational change. For example, switching from paper to online job applications was fairly exciting, if only getting our various regions to agree on a single form.

In later years, we had our disagreements with Tom. I wasn't too happy on how he assisted with our Internet site (his organization was starting to get into the web design business). As a person, he was always kind and thoughtful, despite his various business endeavors. He'd talk about his kid, how expensive going out to a movie in Seattle was getting, or tell stories about the Sisters from his time working at our organization (we're a Catholic healthcare organization).

We were actually just starting to sign up to use his latest product (a clinic billing system). He was partnering with our medical record system vendor and it seemed reasonably good. Fortunately we didn't have any security breaches related to this incident, but it seems to have been blind luck to some degree.

I think it's impossible for any CEO, even if they have a technical background, to be aware of every technical issue within their organization. In any complex endeavor, there's just too much going on. At this point, it seems like Tom has suffered quite a bit already. He's lost the business he's spent a decade growing. Prosecutors are looking into criminal charges. I don't know how he'll recover professionally. I'm sure he'll spend the rest of his life second-guessing what he should have done better. Hired different people? Brought in an outside auditor?

For me, it was a reminder that everything can just disappear in a flash. Cherish what you've got.

It depends on the type of organization it was, and where it was founded. Like it or not, forming a corporation or LLC is often done to specifically shield founding/leadership individuals from liability of the company. And to a large extent, it does.

I'd start with the ex-CEO. The 'company' did not make decisions, people did. They should be held accountable.

If accountability is what you want then why are you looking at the CEO? Shouldn't the technician who left the router down be personally liable? You could say that the CEO had the responsibility for ensuring methods were in place to prevent this. You could also say that the data was the responsibility of the hospital and paying a contractor does not eliminate that responsibility.

Do they really? Remember that the price is rather more than a number written on a ticket - you need to look at the value of what you're buying too. For instance, I buy most of my groceries in small independent shops rather than supermarkets, because I get better value for money. Yes, the number at the bottom of the receipt is a little higher, but the quality of the produce is much higher.

HIPAA laws are no joke. There are serious fines and even criminal penalties for letting confidential patient records out. It's so serious that companies working with health care data often have special training programs for their employees that handle any sort of hospital data -- even for IT workers.

Verus probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPAA.

Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.

Notice that "knowingly" statement?

Sorry, but I think you are wrong on the "probably folded to keep from getting heavily penalized and/or to prevent its directors from being criminally prosecuted under HIPAA". FTA, it's more likely they folded from lack of funding -- as their primary investor pulled out (most likely due to not wanting to tarnish THEIR name...

The problem is, people are going to be suing the hospital for allowing their information to be let out into the wild. If Verus is no longer there for the hospitals to sue, then they don't stand to recoup any losses suffered when the plaintiffs win these lawsuits, and as a result the hospitals have to shell out hard-earned cash to make these people go away. End result: medical care costs go up or hospitals may close. Litigation is not always the answer, but in this case, it was the only way to make sure that

I would think that if Verus is referring people to an alternate service, there would be some sort of contractual agreement between the two. The investors might have to assume some liability for preventing legal redress of problems.

For that matter, I would think the federal government would be all over it for violation of HIPAA regulations.

Read the article. It was a single mistake -- leaving a firewall down after performing a transfer of data from one server to another. But, why would you need to take down a firewall to transfer data? Set up a VPN, or better yet, use hard drives and old-fashioned sneakernet to transfer the data.

What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).
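The failure described in this thread (a firewall dropped for a data transfer and never brought back up) is exactly the kind of thing an auditor or an on-call engineer wants to catch from logs, not from a breach report. The following is an added example, not code from the Slashdot thread or from Verus: it parses syslog-style firewall state-change lines and flags every "disabled" window that was never closed, or that ran longer than an agreed maintenance window. The log format, host names, user names and timestamps are all constructed for the example; a real deployment would feed it whatever your firewall or change-management system actually records.

```python
"""Flag host firewalls that were disabled and left down (or down too long).

Added example, not from the original thread. The log line format below is
constructed for this demo; adapt LINE_RE to your real firewall/audit logs.
"""
from datetime import datetime, timedelta
import re

# Constructed format: "<ISO timestamp> <host> firewall: <disabled|enabled> [by <user>] [reason="..."]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) firewall: "
    r"(?P<state>disabled|enabled)"
    r"(?: by (?P<user>\S+))?"
    r'(?: reason="(?P<reason>[^"]*)")?$'
)

# Constructed sample log. Note that events from different hosts interleave,
# and one line is an unrelated sshd message that must be skipped, not crash the parser.
SAMPLE_LOG = """\
2007-05-01T22:05:10 web-db-01 firewall: disabled by ops1 reason="copy patient db to web-db-02"
2007-05-01T22:06:00 web-db-02 firewall: disabled by ops1 reason="receive patient db"
2007-05-01T22:19:42 web-db-01 firewall: enabled by ops1
2007-05-03T09:00:00 web-app-07 firewall: disabled by ops2 reason="sales demo"
2007-05-03T09:01:00 web-app-07 sshd: accepted login for ops2
2007-05-03T10:45:00 web-app-07 firewall: enabled by ops2
"""

# "Now" is fixed so the example is reproducible; a real run would use datetime.now().
SAMPLE_NOW = datetime(2007, 5, 5, 0, 0, 0)


def parse_events(log_text):
    """Return (events, skipped): events are (ts, host, state, user, reason) tuples
    sorted by timestamp; skipped counts lines that did not match LINE_RE."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        events.append((
            datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
            m["host"], m["state"], m["user"], m["reason"],
        ))
    events.sort(key=lambda e: e[0])
    return events, skipped


def find_exposures(log_text, now, max_window=timedelta(minutes=30)):
    """Return a list of findings, one per host whose firewall was disabled and
    either never re-enabled ("never_restored") or re-enabled only after more
    than max_window had elapsed ("exceeded"). Sorted by when the window opened."""
    open_since = {}  # host -> (opened_at, user, reason) for the current disabled window
    findings = []
    events, _ = parse_events(log_text)
    for ts, host, state, user, reason in events:
        if state == "disabled":
            # A second "disabled" while already down keeps the earliest start time.
            open_since.setdefault(host, (ts, user, reason))
        elif host in open_since:  # "enabled" with no prior "disabled" is ignored
            opened, who, why = open_since.pop(host)
            duration = ts - opened
            if duration > max_window:
                findings.append({"host": host, "opened": opened, "closed": ts,
                                 "duration": duration, "user": who, "reason": why,
                                 "status": "exceeded"})
    # Anything still open at "now" is the Verus-style case: nobody turned it back on.
    for host, (opened, who, why) in open_since.items():
        findings.append({"host": host, "opened": opened, "closed": None,
                         "duration": now - opened, "user": who, "reason": why,
                         "status": "never_restored"})
    findings.sort(key=lambda f: f["opened"])
    return findings


if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG, SAMPLE_NOW):
        print(f"{f['host']}: firewall {f['status']} (down {f['duration']}, "
              f"by {f['user']}, reason={f['reason']!r})")
```

Run stand-alone it reports web-db-02 as never restored (down for over three days by the fixed "now") and web-app-07 as exceeding the 30-minute window, while web-db-01, which was restored after about fifteen minutes, is not reported. The useful design point is the second loop: a detector that only looks for "disabled followed by enabled" pairs can never see the dangerous case, which is the disable event with no partner at all.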

What the vendor really needed was a security audit by an external security firm. I bet you will see more of that in its competitors (or ex-competitors).

I bet you won't. Why? Because their competitors are slapping each other on the back, laughing themselves silly, and convincing themselves it won't happen to them, their IT guys aren't that dumb. Unfortunately, with the given state of IT talent, this is going to happen to one of them next -- not this precise failure, mind you, but something similar. Data security is a joke right now, and not just for hospitals. Until there is a universal outcry and until companies that cause data breaches are hit in the wa

Yeah, but after all the back-slapping and laughing-themselves-silly, somebody is going to get the bright idea that a security audit would be a great marketing tool. "You should hire us because we're secure. Really -- just ask !" And some customers will notice.

Still stupid. What were they transferring with, unsecured Samba? Anonymous FTP? Windows File sharing? And why were they transferring files in the first place? Secure files should reside on one machine or cluster, with nightly (or whatever is appropriate) backups. Two locations = two times the security risk. Sometimes you have to take that risk (a redundant colo or something), but in that case you have a secure medium for file transfers and it should happen pretty damn often if not constantly... Certainly not

Turning off the firewall is not as uncommon as you might think, especially at smaller companies where the inexperienced network administrator (the company didn't want to shell out for a decent admin) is under pressure from above to just "make it work" or "turn off the firewall so that our sales drone can demo the product to a client". The managers attempt to override objections from the engineers with promises that, "it is only for 15 minutes" or other false assurances, as if the engineers are only issuing

, all of the data losses can now be attributed to a single incident, in which Verus employees left a firewall down following the transfer of data from one server to another,

I confess, I am not someone who works professionally in the IT field, so I may be off the mark here, but can someone explain a situation where a computer would need to have its firewall dropped totally merely to transfer data from one system to another? I guess it just sounds a little unusual to me. Is this a systemic flaw in the way these systems were being administered or is this someone leaving out an obviously crucial step in an otherwise routine operation?

can someone explain a situation where a computer would need to have its firewall dropped totally merely to transfer data from one system to another?

A) Laziness (didn't want to set up a VPN or just open the necessary ports)
B) PEBKAC (didn't know how to do the above, or at least do it properly)
C) ID Ten T (knew how to do it, but didn't think it was a "big deal")
D) Some combination of A, B and C

While reports of the breaches have been issued in dribs and drabs, all of the data losses can now be attributed to a single incident, in which Verus employees left a firewall down following the transfer of data from one server to another, according to David Levin, vice president of marketing at MedSeek.

Can someone explain to me why you would need to open EVERY PORT on a computer to transfer data across two machines? Is there any possible reason why this would be considered? Seriously?

Looking at the clues here: File transfer + Firewall + needed to drop firewall... I'd say it was probably someone who couldn't figure out passive ftp. Needless to say they were transferring the data without encryption in the first place.

...I do know a thing or two about corporate law, having served on a couple of corporate boards. Granted this may vary a bit from state to state, but directors and executives of a corporation, and sometimes, depending on the circumstances, the investors, do not get total automatic blanket immunity from prosecution by virtue of incorporating. If the hospitals here can show there was willful negligence, and not simply "someone fucked up", they can go after the directors and executives for every penny they have

Of course the knee jerk reaction is to make corporations more accountable, raise the risks for the owners, etc. As others have pointed out, no one would want to run a corporation where they are liable not just for doing their job, but being sure that no mistakes were made by anyone else (like the IT worker turning off a firewall, or the janitor that doesn't put down a wet floor sign). Take the current executive pay and bump it up by a factor of 10. Honestly, all the barriers, rules, legal risk, etc are part of the reason big companies have gotten so big.

Also, let's not forget that if the executives really did something wrong, closing the business isn't enough. There's still a legal record of who owned the business when the breach occurred. What the hospitals are upset about is that the investors stopped putting money into the company which they could try to get their hands on. The investors already lost because the company folded, they never saw a return on their money, and probably lost their principal, too. As did the shareholders (stock=0), employees (now unemployed, a few of them rightfully so), executives (with a black mark on their record for something they didn't do), etc. Anyone who walks away from a folded company as a winner either did nothing wrong, scammed the system, or was really good and didn't get caught. None of which appears to have happened here.

If you want to be anti-big business, you need to cut down the barriers so that "locally owned" has a fighting chance against the "benefits of scalability".

There is ALWAYS someone to sue. A corporation is a legal fiction. In most, if not all states in the US, corporations continue to have an existence to sue or be sued for three years after ceasing business operations. In the right cases, courts will readily disregard the existence of a corporation (or LLC, LLP, or other limited liability entity) to reach the individuals (managers / shareholders / sometimes even investors) who ran the company.

Sadly you are right. The whole sue for everything mentality is out of control here. There is no personal responsibility for anything now days. It's always someone else's fault so sue them. Trial lawyers will be the death of this country!

I hate to admit it, but a few years ago I did an update on a Fedora box which renamed protocol 50 from ipv6-crypt to esp or something of the sort. Due to this, the firewall rules failed to load at startup which left the outside portion of the network completely unfirewalled instead of nearly completely firewalled.

Now ordinarily this wouldn't be a huge problem as one should reasonably hope that even an unfirewalled system is secure. And indeed, the Windows 2000 webserver we had was reasonably secure. It was up to date with all the patches and running great. The ultimate attack vector had nothing to do with lack of patches but rather an ultra-weak password. You see, someone else had an account in the administrators group with a password of 121212. With the firewall being down this account could be used to log in to the SMB shares and thus execute anything with that account's privileges.

Fortunately, the webserver had absolutely nothing to do with the rest of the network which was behind a second firewall with a totally different authentication/directory system and a different set of usernames and passwords. So the attacker was able to get access to a webserver with nothing of any interest on it. It is at that point when I began to research how the hell he got in and realized that the firewall was not firewalling anything. Later on, we decided the 121212 password on an Administrators group account was the ultimate culprit.

This just goes to show you that a break-in can happen to anybody. Granted, in this story's case, taking down a firewall on purpose to transfer some data was probably not a good idea and could/should have been avoided. But that's a mistake, not an invitation to burn the perpetrator at the stake.

Ultimately, a security failure should result in a procedural change. In our case, checking that the firewall rules installed correctly at boot became part of the checklist of things to do when upgrading that server. We also changed the passwords on the webserver and implemented several new policies. Prior to the attack, the webserver passwords were a combination of knowable information like birthdate, hire date, and part of SSN. Their purpose was to secure read-only access to a site with company policy information so it wasn't thought they needed to be highly secure. Unfortunately, all of the users were full Windows users so for all we know it might not have been the weak password on the admin account but instead a disgruntled (ex-)employee coupled with a possible privilege elevation bug. Due to this, we changed all of the users' passwords to be random and moved all of the users out of the Users group and into a group that only allowed logins to the website and not on the console.

All that for a measly webserver with some simple read-only access to data that doesn't have to be all that secure. Now consider having a web application with critical data like patient records and several thousand users all from different hospitals. That's basically an accident waiting to happen. If I were a company doing that, I'd be sure to have a huge insurance policy to cover the liabilities and/or make damn sure the contracts with customers indemnified the company against lawsuits for accidental breaches.
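The post-upgrade checklist item described above (confirm the firewall rules actually loaded, since a rule script that fails to parse silently leaves the kernel's default ACCEPT policy with no rules) can be turned into a script. This is an added example, not the poster's own script; it assumes the Linux iptables "-S" dump format, and both dumps below are constructed.

```shell
#!/bin/sh
# Post-boot firewall sanity check (added example, not from the thread).
# Assumes `iptables -S` output; the sample dumps are constructed.

# check_fw_dump FILE: succeed only when the INPUT chain has a DROP policy
# and at least MIN_RULES explicit rules, i.e. the rule set really loaded.
MIN_RULES=3

check_fw_dump() {
    dump="$1"
    policy=$(awk '$1=="-P" && $2=="INPUT" {print $3}' "$dump")
    rules=$(awk '$1=="-A" && $2=="INPUT" {n++} END {print n+0}' "$dump")
    if [ "$policy" != "DROP" ]; then
        echo "FAIL: INPUT policy is '${policy:-unset}', expected DROP" >&2
        return 1
    fi
    if [ "$rules" -lt "$MIN_RULES" ]; then
        echo "FAIL: only $rules INPUT rules loaded (expected >= $MIN_RULES)" >&2
        return 1
    fi
    echo "OK: INPUT policy DROP with $rules rules"
    return 0
}

# Constructed sample: a rule set that loaded as intended.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
EOF

# Constructed sample: the box in the story after the rule script failed
# to parse at startup (kernel defaults: ACCEPT everywhere, no rules).
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
EOF

# In production: iptables -S > /tmp/fw.dump && check_fw_dump /tmp/fw.dump
check_fw_dump "$GOOD"
check_fw_dump "$BAD" || echo "firewall did not load; page the admin" >&2
```

Run it from the last step of the upgrade checklist (or a boot-time cron job) so a silently failed rule load is reported instead of discovered during an intrusion investigation.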

This hospital had 30,000 patients' data exposed. There is no mention of it in an easy, quick to find location on their website [skylakes.org]. This is 30,000 patients exposed in a town of about 40,000 people... Our local newspaper had a very, very small article on it that looked like it was written by the hospital PR person.. Good god I hate small towns..

A government regulator at a former job once told me that "You can outsource the work, but not the responsibility". Those are wise words that the managers of that hospital should heed.

Companies seem to think that if they hire someone else to do the work, they are not responsible for the quality of that work.

Take Mattel - they have Chinese companies building their products, but not inspecting their work. Thanks to their lack of vendor controls, kids are choking on parts, and getting lead poisoning.

Companies need to realize that in-house IT is the only way to ensure that your internal standards are met. Outsourcing has its place, but strict quality control / vendor management policies need to be in place to ensure the work is of good quality.

I just love though how the summary makes it out how it's a horrible thing that the hospitals can't sue anyone. Oh the humanity!

What is your point?

What if it was worded "none of the responsible parties were there to accept the consequences" or "those that caused the problem escaped without repercussions, while others had to pay for the costs of their negligence"?